feat(docker): scan/inspect passifs des stacks Compose (tâche 2 SJ-4)

- 4 tables Docker (settings/compose_roots/compose_stacks/stack_services)
  + migration 0004 (timestamps journal monotones)
- templates docker/scan-compose + inspect-compose ; renderTemplate bascule
  sur délimiteurs <% %> pour les templates docker/ afin de préserver les
  Go-templates {{.ID}} intacts
- dockerScan: parseDockerScan (TDD) + scanDockerStacks (persiste stacks
  candidats, complète la détection par labels)
- action docker_scan branchée dans execute (route dédiée, archivage report/log)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

server/db/schema.ts

@@ -226,3 +226,54 @@ export const machineHostKeys = sqliteTable("machine_host_keys", {
   firstSeenAt: text("first_seen_at").notNull(),
   lastSeenAt: text("last_seen_at").notNull(),
 });
+
+// --- SJ-4 : Docker (passif) ---
+export const dockerSettings = sqliteTable("docker_settings", {
+  machineId: text("machine_id").primaryKey().references(() => machines.id, { onDelete: "cascade" }),
+  enabled: integer("enabled").notNull().default(0),
+  scanDepth: integer("scan_depth").notNull().default(4),
+  pruneMode: text("prune_mode").notNull().default("safe"),
+  lastScanAt: text("last_scan_at"),
+  lastPullCheckAt: text("last_pull_check_at"),
+  updatedAt: text("updated_at").notNull(),
+});
+
+export const dockerComposeRoots = sqliteTable("docker_compose_roots", {
+  id: text("id").primaryKey(),
+  machineId: text("machine_id").notNull().references(() => machines.id, { onDelete: "cascade" }),
+  path: text("path").notNull(),
+  enabled: integer("enabled").notNull().default(1),
+  scanDepth: integer("scan_depth"),
+  createdAt: text("created_at").notNull(),
+  updatedAt: text("updated_at").notNull(),
+});
+
+export const dockerComposeStacks = sqliteTable("docker_compose_stacks", {
+  id: text("id").primaryKey(),
+  machineId: text("machine_id").notNull().references(() => machines.id, { onDelete: "cascade" }),
+  name: text("name").notNull(),
+  workingDir: text("working_dir").notNull(),
+  composeFilesJson: text("compose_files_json").notNull(),
+  projectName: text("project_name"),
+  envFile: text("env_file"),
+  status: text("status").notNull(),          // candidate | enabled | ignored | error
+  detectedBy: text("detected_by"),           // root_scan | label | manual
+  lastScanAt: text("last_scan_at"),
+  lastUpdateAt: text("last_update_at"),
+  createdAt: text("created_at").notNull(),
+  updatedAt: text("updated_at").notNull(),
+});
+
+export const dockerStackServices = sqliteTable("docker_stack_services", {
+  id: text("id").primaryKey(),
+  stackId: text("stack_id").notNull().references(() => dockerComposeStacks.id, { onDelete: "cascade" }),
+  serviceName: text("service_name").notNull(),
+  imageRef: text("image_ref"),
+  currentImageId: text("current_image_id"),
+  currentDigest: text("current_digest"),
+  candidateImageId: text("candidate_image_id"),
+  candidateDigest: text("candidate_digest"),
+  versionLabel: text("version_label"),
+  status: text("status"),                    // up_to_date | updates_available | error
+  updatedAt: text("updated_at").notNull(),
+});